[PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys

[PATCH RFC v2 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 04/12] integrity: add add_to_mok_keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 03/12] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 07/12] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 11/12] integrity: Do not allow mok keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
Re: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-05
Re: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-06
Re: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-06
Re: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-06
Re: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-06
Re: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-06
[PATCH RFC v2 12/12] integrity: store reference to mok keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 05/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_system_trusted_or_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 01/12] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK) · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 02/12] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
Re: [PATCH RFC v2 02/12] KEYS: CA link restriction · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-05
[PATCH RFC v2 09/12] KEYS: add a reference to mok keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 08/12] integrity: Suppress error message for keys added to the mok keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
[PATCH RFC v2 06/12] integrity: accessor function to get trust_moklist · Eric Snowberg <eric.snowberg@oracle.com> · 2021-07-26
Re: [PATCH RFC v2 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-03
Re: [PATCH RFC v2 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-03
Re: [PATCH RFC v2 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-04
Re: [PATCH RFC v2 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-08-04
Re: [PATCH RFC v2 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-05

STALE1770d

Revisions (8)

2021-07-07 rfc [diff vs current]
2021-07-26 v2 current
2021-08-12 v3 [diff vs current]
2021-08-19 v4 [diff vs current]
2021-09-07 v5 [diff vs current]
2021-09-14 v6 [diff vs current]
2021-11-16 v7 [diff vs current]
2021-11-24 v8 [diff vs current]

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-07-26 17:15:40
Also in: keyrings, linux-integrity, linux-security-module, lkml
Subsystem: certificate handling, the rest · Maintainers: David Howells, David Woodhouse, Linus Torvalds

Allow the .mok keyring to be linked to either the builtin_trusted_keys
or the secondary_trusted_keys. If CONFIG_SECONDARY_TRUSTED_KEYRING is
enabled, mok keys are linked to the secondary_trusted_keys.  Otherwise
they are linked to the builtin_trusted_keys.  After the link is created,
keys contained in the .mok keyring will automatically be searched when
searching either builtin_trusted_keys or secondary_trusted_keys.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v2: Initial version
---
 certs/system_keyring.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index dcaf74102ab2..b27ae30eaadc 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c

@@ -45,6 +45,15 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
 				     const union key_payload *payload,
 				     struct key *restriction_key)
 {
+	/* If the secondary trusted keyring is not enabled, we may link
+	 * through to the mok keyring and the search may follow that link.
+	 */
+	if (mok_trusted_keys && type == &key_type_keyring &&
+	    dest_keyring == builtin_trusted_keys &&
+	    payload == &mok_trusted_keys->payload)
+		/* Allow the mok keyring to be added to the builtin */
+		return 0;
+
 	return restrict_link_by_signature(dest_keyring, type, payload,
 					  builtin_trusted_keys);
 }

@@ -91,6 +100,15 @@ int restrict_link_by_builtin_and_secondary_trusted(
 		/* Allow the builtin keyring to be added to the secondary */
 		return 0;
 
+	/* If we have a secondary trusted keyring, it may contain a link
+	 * through to the mok keyring and the search may follow that link.
+	 */
+	if (mok_trusted_keys && type == &key_type_keyring &&
+	    dest_keyring == secondary_trusted_keys &&
+	    payload == &mok_trusted_keys->payload)
+		/* Allow the mok keyring to be added to the secondary */
+		return 0;
+
 	return restrict_link_by_signature(dest_keyring, type, payload,
 					  secondary_trusted_keys);
 }

@@ -321,5 +339,8 @@ void __init set_platform_trusted_keys(struct key *keyring)
 void __init set_mok_trusted_keys(struct key *keyring)
 {
 	mok_trusted_keys = keyring;
+
+	if (key_link(system_trusted_keys, mok_trusted_keys) < 0)
+		panic("Can't link (mok) trusted keyrings\n");
 }
 #endif

-- 
2.18.4

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help